A citizen with basic knowledge of technology “will never know that they are being monitored” through the Russian SORM spying system, according to Gaspar Pisanu, Latin America Policy Manager for Access Now, an international NGO that focuses on the digital rights of internet users.
According to a report by US researchers Douglas Farah and Marianne Richardson, the regime of Daniel Ortega and Rosario Murillo has been using the System for Operational Research Activities (known as SORM, its acronym in Russian) in Nicaragua for the purpose of spying since 2018. The SORM-3 version has been implemented in the country.
The cybersecurity expert stressed that this version “has become very technical, to a point where we don't know all the things it is capable of doing.”
“Broadly speaking, (SORM-3) doesn't affect devices, but it gets in the middle of communications. Let's picture that we’re having a conversation in the street and a person gets in the middle and listens to everything we are saying,” Pisanu explained in an interview with the program Esta Noche.
The SORM platform is used by Russia and other former Soviet nations “for phone and internet surveillance and allows operators to monitor credit card transactions, email, phone calls, text messages, social networks, wifi networks, and forum postings,” according to U.S. Government information provided by Farah to CONFIDENCIAL.
Pisanu noted that diplomatic and training relations with Russia “may include, in part, incentives to develop a system similar to SORM; it may involve the sanctioning of certain regulations or the acquisition of certain technologies. That is why we say, precisely, that SORM is deployed in different ways, in different countries.”
How does the so-called System for Operational Research Activities, better known as SORM, work?
The SORM system is a technical framework that includes both technologies and laws, and was initially developed by the former Soviet KGB in the late 1980s and then replicated by countries in Central Asia and Western Europe, with different characteristics in each of the countries.
It should be understood as a legal framework because it includes regulations that provide law enforcement and security agencies with the ability to monitor, store and filter information on commercial mobile and Internet traffic.
When this system was first developed, it was designed to intercept fixed-line communications. Newer versions are now beginning to include cell phone and internet communications as well. All this is always under the justification of national security. It is often called, in technical terms, the backdoor of the Internet and communications, for the Russian Federal Security Service.
SORM has had different stages: SORM-1 was, precisely, the intervention of telephone communications by land; SORM-2 is already starting to focus on the Internet; and SORM-3 is the most complex stage of this program, where it allows not only access to communications, but also the processing, filtering, and storage of the data obtained by the intervention of these communications, and of the activity carried out by the users on the Internet.
What devices are vulnerable or can this system intervene?
It is not like other infection systems that attack the device. SORM-3 has become very technical, to the point where we don't know all the things it is capable of doing. Generally speaking, it doesn't affect devices, but it gets in the way of communications. Let's imagine that we have a conversation in the street and a person gets in the middle and listens to everything we are saying; that is a little bit the way this works, it is also known as middleman attacks, precisely because it is a person in the middle.
The information it is capturing, in telephony systems, is: who are the people who are talking, where they are talking, when they did it and the content, that is, what is being talked about. On the Internet, what it does is the collection of the most varied activities that one can have, from emails, and the content that people post on networks, to the transactions made with credit cards.
Does this system have the ability to read and extract messages from applications with end-to-end encryption, such as WhatsApp or Signal?
It is difficult to give an accurate answer. These technological issues and the arrangements that governments make: how they use it or what they use, are extremely non-transparent. It is very difficult, both for journalism, as well as for activism, civil society, and academia, to have certainties about how these systems work, and what level of development they have reached. Given this, you cannot be sure that they are not able to break the encryption that exists in end-to-end encrypted communications.
However, it is always a good practice to use such direct messaging applications, which also include encrypted calls. Encryption avoids this person in the middle; going back a bit to the analogy of people having a conversation in the street, it would be like those two people communicating in a language that can never be understood by that third person who got in the middle.
The same happens, for example, with the use of VPNs, these virtual secure local area networks, which work in a similar way, avoiding sharing all the information with the telephone and Internet service provider. Some of these VPN services even allow encryption of the information transmitted over these lines. As a practice, it is always advisable to use this type of service, especially if we are talking about governments that have a history of monitoring their citizens and anyone who may be considered opposition.
Is it possible to know if we are being spied on under the SORM system?
In general, a person with basic knowledge (of technology) will never know that he/she is being monitored through this system. There is research that uses different mechanisms to detect certain traffic redirections, i.e. that it is not reaching the person I am sending the message to, but it is reaching another person first and then the person I was sending it to. But nowadays, surveillance technologies have advanced so much that it is becoming increasingly difficult to detect them.
What are the main ways to protect ourselves or to avoid intervention on our cellphones and internet connections?
There are two levels of protection: the first level, which is what every citizen should have, is protection at the state level. It has to do with regulating the use of surveillance tools, in many cases prohibiting them, because they directly interfere with human rights. In many contexts in different countries, this is practically impossible; the States make a great effort to do this in a completely obscure way, without any kind of regulation.
On a personal level, use these direct messaging services with end-to-end encryption, apps like WhatsApp or Signal; use VPN systems; use double authentication factors for all social network accounts. And also be aware of the things that are being published, what is the risk we are exposing ourselves to.
We have to be aware that, even if we take all the digital security measures, there is a possibility that we are being watched, and it is very difficult to fight against it; that is why I believe that journalistic work is so crucial, to reveal these cases and generate pressure.
Diplomatic relations with Russia
And do you have information about which Latin American countries are using this surveillance system?
Not specifically. We know that there are diplomatic relations between many countries in the region and Russia, which developed this system. These diplomatic and training relations may include, in part, incentives to develop a system similar to that of SORM; this may imply the sanction of certain regulations or the acquisition of certain technologies. That is why we say, precisely, that SORM is deployed in different ways, in different countries.
The problem is that today in Latin America there is a very high degree, or rather, little or no transparency in the use of surveillance systems, which makes it difficult to assert that there are no governments that are using them. This happens with simple acquisitions, for example, such as security cameras used for traffic control; they do not want to give us information on these issues. So, imagine a program as complex as SORM.
This article was originally published in Spanish in Confidencial and translated by our